Posted to reviews@spark.apache.org by GitBox <gi...@apache.org> on 2021/10/22 01:07:15 UTC

[GitHub] [spark] wangyum opened a new pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

wangyum opened a new pull request #34362:
URL: https://github.com/apache/spark/pull/34362


   ### What changes were proposed in this pull request?
   
   This PR backports HIVE-21498 to upgrade libthrift to 0.13.0.
   
   ### Why are the changes needed?
   
   To address CVEs:
   
   Component Name | Component Version Name | Vulnerability | Fixed version
   -- | -- | -- | --
   Apache Thrift | 0.11.0-4. | [CVE-2019-0205](https://nvd.nist.gov/vuln/detail/CVE-2019-0205) | 0.13.0
   Apache Thrift | 0.11.0-4. | CVE-2019-0210 | 0.13.0
   
   ### Does this PR introduce _any_ user-facing change?
   
   No.
   
   ### How was this patch tested?
   
   Existing test.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org
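
A build gate for the upgrade described in the message above, as an added example that is not part of the pull request or of Spark's build: it parses a `dev/deps`-style manifest (the `artifact/version/classifier/jar` line layout quoted later in this thread) and reports libthrift when it is below the fixed version 0.13.0 from the table. The sample manifest, including its libthrift line, and the function names are constructed for illustration.

```python
import re
import sys

# Fixed version taken from the table in the pull request description.
FIXED = {"libthrift": "0.13.0"}

# Constructed sample in the dev/deps manifest layout; not copied from the Spark tree.
SAMPLE_MANIFEST = """\
janino/3.0.16//janino-3.0.16.jar
javassist/3.25.0-GA//javassist-3.25.0-GA.jar
libthrift/0.12.0//libthrift-0.12.0.jar
"""

PRE_RELEASE = re.compile(r"(rc|alpha|beta|m\d|snapshot)")


def parse_manifest(text):
    """Return {artifact: version} for every entry of a deps manifest."""
    deps = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("/")
        # Four slash-separated fields; the classifier (third) may be empty.
        if len(parts) != 4 or not parts[0] or not parts[1]:
            raise ValueError(f"line {lineno}: unexpected manifest entry {line!r}")
        deps[parts[0]] = parts[1]
    return deps


def version_key(version):
    """Sortable key: numeric release padded to four parts, then a flag
    that orders a pre-release (rc, beta, ...) before the release itself."""
    m = re.match(r"(\d+(?:\.\d+)*)(?:[-.]?(.+))?$", version)
    if not m:
        raise ValueError(f"cannot parse version {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release = (release + (0, 0, 0, 0))[:4]
    qualifier = (m.group(2) or "").lower()
    is_final = 0 if PRE_RELEASE.match(qualifier) else 1
    return release + (is_final,)


def below_fixed(deps, fixed=FIXED):
    """List (artifact, found, fixed) for every dependency older than its fix."""
    findings = []
    for artifact, minimum in sorted(fixed.items()):
        found = deps.get(artifact)
        if found is not None and version_key(found) < version_key(minimum):
            findings.append((artifact, found, minimum))
    return findings


if __name__ == "__main__":
    # With a path argument, check that manifest; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            manifest = fh.read()
    else:
        manifest = SAMPLE_MANIFEST
    problems = below_fixed(parse_manifest(manifest))
    for artifact, found, minimum in problems:
        print(f"{artifact} {found} is below fixed version {minimum}")
    sys.exit(1 if problems else 0)
```

A release candidate of the fixed version is reported as well, because it sorts before the final release.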


[GitHub] [spark] srowen commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
srowen commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1046316449


   Merged to master. I'll look at the backports next




[GitHub] [spark] AmplabJenkins commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
AmplabJenkins commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949417333


   
   Refer to this link for build results (access rights to CI server needed): 
   https://amplab.cs.berkeley.edu/jenkins//job/SparkPullRequestBuilder/144529/
   




[GitHub] [spark] AmplabJenkins commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
AmplabJenkins commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949283731


   
   Refer to this link for build results (access rights to CI server needed): 
   https://amplab.cs.berkeley.edu/jenkins//job/SparkPullRequestBuilder/144522/
   




[GitHub] [spark] SparkQA removed a comment on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
SparkQA removed a comment on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949305726


   **[Test build #144529 has started](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/144529/testReport)** for PR 34362 at commit [`affe2f6`](https://github.com/apache/spark/commit/affe2f64457c67c133e45cfd6de372649d10e2cb).




[GitHub] [spark] dongjoon-hyun commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
dongjoon-hyun commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1041257636


   No problem. Please let us know when the PR is ready, @wangyum . 




[GitHub] [spark] srowen commented on a change in pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
srowen commented on a change in pull request #34362:
URL: https://github.com/apache/spark/pull/34362#discussion_r734232033



##########
File path: sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/TSetIpAddressProcessor.java
##########
@@ -45,11 +45,12 @@ public TSetIpAddressProcessor(Iface iface) {
   }
 
   @Override
-  public boolean process(final TProtocol in, final TProtocol out) throws TException {
+  public void process(final TProtocol in, final TProtocol out) throws TException {
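
Review bot: The `process` override changes its return type from `boolean` to `void`, and the hunk stops before the method body, so confirm that every value-returning `return` in the body was removed and that no caller in this module still reads the result. Because of `@Override`, this signature now compiles only against a libthrift whose supertype declares `process` as `void`; a short comment on the method naming the libthrift version it tracks would help the next time this copy of the Hive code is synced.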

Review comment:
       I have no idea, does this cause problems across hive versions, if we modify this copy of the Hive code?






[GitHub] [spark] SparkQA commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
SparkQA commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949252676


   Kubernetes integration test status failure
   URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/48993/
   




[GitHub] [spark] dongjoon-hyun edited a comment on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
dongjoon-hyun edited a comment on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1030919169


   > I updated the description manually; I think this is good to go?
   
   We have no evidence that this PR passes the CIs, do we, @srowen ? As I mentioned here (https://github.com/apache/spark/pull/34362#pullrequestreview-867034822), the latest CI failed.




[GitHub] [spark] wangyum commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
wangyum commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949150067


   cc @HyukjinKwon @juliuszsompolski We can upgrade to 0.13.0 first. If 0.16.0 is released, we can upgrade to 0.16.0 because we need [this patch](https://github.com/apache/thrift/pull/2470).




[GitHub] [spark] wangyum commented on a change in pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
wangyum commented on a change in pull request #34362:
URL: https://github.com/apache/spark/pull/34362#discussion_r734242476



##########
File path: dev/deps/spark-deps-hadoop-3.2-hive-2.3
##########
@@ -120,6 +120,7 @@ jakarta.ws.rs-api/2.1.6//jakarta.ws.rs-api-2.1.6.jar
 jakarta.xml.bind-api/2.3.2//jakarta.xml.bind-api-2.3.2.jar
 janino/3.0.16//janino-3.0.16.jar
 javassist/3.25.0-GA//javassist-3.25.0-GA.jar
+javax.annotation-api/1.3.2//javax.annotation-api-1.3.2.jar
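
Review bot: The added `javax.annotation-api/1.3.2` line puts a new jar into the shipped dependency set as a side effect of the libthrift bump. If nothing on Spark's side needs it, exclude it where libthrift is declared and regenerate this manifest so the line disappears, and regenerate any other manifests under `dev/deps` in the same commit so the profiles stay consistent.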

Review comment:
       I have removed javax.annotation-api-1.3.2.jar. It seems we do not need it:
   ```
   LM-SHC-16508156:thrift yumwang$ grep -ER "javax.annotation" .
   ./lib/java/gradle/environment.gradle:ext.javaxAnnotationVersion = property('javax.annotation.version')
   ./lib/java/gradle/environment.gradle:    compile "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}"
   Binary file ./lib/java/.gradle/5.6.4/executionHistory/executionHistory.bin matches
   Binary file ./lib/java/.gradle/5.6.4/javaCompile/classAnalysis.bin matches
   Binary file ./lib/java/.gradle/5.6.4/javaCompile/taskHistory.bin matches
   ./lib/java/gradle.properties:javax.annotation.version=1.3.2
   ./lib/java/build/poms/pom-default.xml:      <groupId>javax.annotation</groupId>
   ./lib/java/build/poms/pom-default.xml:      <artifactId>javax.annotation-api</artifactId>
   Binary file ./lib/java/build/deps/javax.annotation-api-1.3.2.jar matches
   ./lib/java/build/tmp/javadoc/javadoc.options:-classpath '/Users/yumwang/opensource/thrift/lib/java/build/classes/java/main:/Users/yumwang/opensource/thrift/lib/java/build/resources/main:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.slf4j/slf4j-api/1.7.28/2cd9b264f76e3d087ee21bfc99305928e1bdb443/slf4j-api-1.7.28.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.10/7ca2e4276f4ef95e4db725a8cd4a1d1e7585b9e5/httpclient-4.5.10.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpcore/4.4.12/21ebaf6d532bc350ba95bd81938fa5f0e511c132/httpcore-4.4.12.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/javax.servlet/javax.servlet-api/4.0.1/a27082684a2ff0bf397666c3943496c44541d1ca/javax.servlet-api-4.0.1.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/javax.annotation/javax.annotation-api/1.3.2/934c04d3cfef185a8008e7bf34331b79730a9d43/javax.annotation-api-1.3.2.jar:/Users/yumwang/.gradle/caches/modules
 -2/files-2.1/commons-logging/commons-logging/1.2/4bfc12adfe4842bf07b657f0369c4cb522955686/commons-logging-1.2.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar'
   ./compiler/cpp/src/thrift/generate/t_java_generator.cc:  indent(out) << "@javax.annotation.Generated(value = \"" << autogen_summary() << "\"";
   ```






[GitHub] [spark] wangyum commented on a change in pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
wangyum commented on a change in pull request #34362:
URL: https://github.com/apache/spark/pull/34362#discussion_r734238451



##########
File path: pom.xml
##########
@@ -2442,6 +2442,10 @@
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>
           </exclusion>
+          <exclusion>
+            <groupId>javax.annotation</groupId>
+            <artifactId>javax.annotation-api</artifactId>
+          </exclusion>
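
Review bot: The new `javax.annotation` exclusion carries no explanation of why the artifact is dropped. Add an XML comment above the `<exclusion>` stating that it is excluded on purpose and why that is safe, and confirm that no Thrift-generated class on Spark's classpath needs the annotation type in order to load.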

Review comment:
       It seems we do not need it:
   ```
   LM-SHC-16508156:thrift yumwang$ grep -ER "javax.annotation" .
   ./lib/java/gradle/environment.gradle:ext.javaxAnnotationVersion = property('javax.annotation.version')
   ./lib/java/gradle/environment.gradle:    compile "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}"
   Binary file ./lib/java/.gradle/5.6.4/executionHistory/executionHistory.bin matches
   Binary file ./lib/java/.gradle/5.6.4/javaCompile/classAnalysis.bin matches
   Binary file ./lib/java/.gradle/5.6.4/javaCompile/taskHistory.bin matches
   ./lib/java/gradle.properties:javax.annotation.version=1.3.2
   ./lib/java/build/poms/pom-default.xml:      <groupId>javax.annotation</groupId>
   ./lib/java/build/poms/pom-default.xml:      <artifactId>javax.annotation-api</artifactId>
   Binary file ./lib/java/build/deps/javax.annotation-api-1.3.2.jar matches
   ./lib/java/build/tmp/javadoc/javadoc.options:-classpath '/Users/yumwang/opensource/thrift/lib/java/build/classes/java/main:/Users/yumwang/opensource/thrift/lib/java/build/resources/main:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.slf4j/slf4j-api/1.7.28/2cd9b264f76e3d087ee21bfc99305928e1bdb443/slf4j-api-1.7.28.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.10/7ca2e4276f4ef95e4db725a8cd4a1d1e7585b9e5/httpclient-4.5.10.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpcore/4.4.12/21ebaf6d532bc350ba95bd81938fa5f0e511c132/httpcore-4.4.12.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/javax.servlet/javax.servlet-api/4.0.1/a27082684a2ff0bf397666c3943496c44541d1ca/javax.servlet-api-4.0.1.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/javax.annotation/javax.annotation-api/1.3.2/934c04d3cfef185a8008e7bf34331b79730a9d43/javax.annotation-api-1.3.2.jar:/Users/yumwang/.gradle/caches/modules
 -2/files-2.1/commons-logging/commons-logging/1.2/4bfc12adfe4842bf07b657f0369c4cb522955686/commons-logging-1.2.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar'
   ./compiler/cpp/src/thrift/generate/t_java_generator.cc:  indent(out) << "@javax.annotation.Generated(value = \"" << autogen_summary() << "\"";
   
   ```






[GitHub] [spark] srowen commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
srowen commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1028005099


   Ping @wangyum 




[GitHub] [spark] wangyum commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
wangyum commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1038565933


   Sorry. I was on Chinese New Year holiday for the last 2 weeks. I used to test [Thrift 0.16-rc0](https://www.mail-archive.com/dev@thrift.apache.org/msg51912.html); Thrift 0.16 has not been officially released.
   




[GitHub] [spark] AmplabJenkins commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
AmplabJenkins commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949350101


   
   Refer to this link for build results (access rights to CI server needed): 
   https://amplab.cs.berkeley.edu/jenkins//job/SparkPullRequestBuilder-K8s/49000/
   




[GitHub] [spark] srowen commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
srowen commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949645945


   Hm, looks like our Java 8 tests pass though. It _might_ not affect Spark, but that makes me uneasy.
   I suppose we can wait for 0.16.0, but not sure how many months away that is.
   I wouldn't oppose merging this to move forward a bit




[GitHub] [spark] srowen commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
srowen commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1030921269


   Ah I see the tests passing but did not all applicable tests run? Is it because the tests need to be enabled to run in the submitter's acct?




[GitHub] [spark] wangyum commented on a change in pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
wangyum commented on a change in pull request #34362:
URL: https://github.com/apache/spark/pull/34362#discussion_r809735466



##########
File path: sql/hive/src/main/java/org/apache/thrift/transport/TFramedTransport.java
##########
@@ -0,0 +1,200 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.thrift.transport;
+
+
+import org.apache.thrift.TByteArrayOutputStream;
+import org.apache.thrift.TConfiguration;
+
+/**
+ * This is based on libthrift-0.12.0 {@link org.apache.thrift.transport.TFramedTransport}.
+ * To fix class of org.apache.thrift.transport.TFramedTransport not found after upgrading libthrift.
+ *
+ * TFramedTransport is a buffered TTransport that ensures a fully read message
+ * every time by preceding messages with a 4-byte frame size.
+ */
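
Review bot: In the class Javadoc, `{@link org.apache.thrift.transport.TFramedTransport}` resolves to this new file itself, not to the libthrift-0.12.0 class it was copied from; replace it with a plain-text reference or the upstream URL of the 0.12.0 source. The file also defines a class in the `org.apache.thrift.transport` package from Spark's own source tree, so the Javadoc should say which callers still need the old class name and that the copy must be removed if the libthrift on the classpath ever provides a class with the same fully qualified name.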

Review comment:
       Origin Java class: https://github.com/apache/thrift/blob/0.12.0/lib/java/src/org/apache/thrift/transport/TFramedTransport.java






[GitHub] [spark] dongjoon-hyun commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
dongjoon-hyun commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1032238721


   - No, no tests ran. It was a build error due to `Could not find artifact org.apache.thrift:libthrift:jar:0.16.0 ` as I wrote in the previous comment.
   - When you cannot check the result in Apache Spark repo, you need to visit their branch because sometimes GitHub Action notification doesn't work properly. In this PR, the following is his branch. And, you can see the actual GitHub Action result at the commit.
       - https://github.com/wangyum/spark/tree/SPARK-37090




[GitHub] [spark] srowen closed pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
srowen closed pull request #34362:
URL: https://github.com/apache/spark/pull/34362


   




[GitHub] [spark] dongjoon-hyun commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
dongjoon-hyun commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1056364919


   Hi, All. This is reverted from all branches due to the regression.
   Please see https://github.com/apache/spark/pull/35646




[GitHub] [spark] srowen commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
srowen commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1046316570


   Oh @wangyum do you have pull requests for the backports? The content looks OK, just bears testing




[GitHub] [spark] dongjoon-hyun commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
dongjoon-hyun commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1046314651


   Thank you for asking, @srowen . Sounds reasonable. No objection for backporting from my side.




[GitHub] [spark] srowen commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
srowen commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1046313863


   One last check from @dongjoon-hyun maybe; this and backports look OK




[GitHub] [spark] AmplabJenkins removed a comment on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
AmplabJenkins removed a comment on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949262279


   
   Refer to this link for build results (access rights to CI server needed): 
   https://amplab.cs.berkeley.edu/jenkins//job/SparkPullRequestBuilder-K8s/48993/
   




[GitHub] [spark] AmplabJenkins removed a comment on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
AmplabJenkins removed a comment on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949283731


   
   Refer to this link for build results (access rights to CI server needed): 
   https://amplab.cs.berkeley.edu/jenkins//job/SparkPullRequestBuilder/144522/
   




[GitHub] [spark] dongjoon-hyun commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
dongjoon-hyun commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1025063230


   I converted it back to `Ready for Review` because I did it before the Apache Spark 3.2.1 release.




[GitHub] [spark] srowen commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
srowen commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1044861666


   Looks like libthrift 0.16.0 was released and this passes, so should be good to go. Thoughts about backporting this to 3.2 and 3.1? (3.0, I presume, is EOL now). I guess I'm inclined to unless there is a non-trivial risk of breaking something, like Hadoop 2 compatibility.




[GitHub] [spark] wangyum commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
wangyum commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1046146953


   This is for branch 3.2 and 3.1:
   https://github.com/apache/spark/compare/branch-3.2...wangyum:SPARK-37090-branch-3.2?expand=1
   https://github.com/apache/spark/compare/branch-3.1...wangyum:SPARK-37090-branch-3.1?expand=1




[GitHub] [spark] SparkQA commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
SparkQA commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949237162


   Kubernetes integration test starting
   URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/48993/
   




[GitHub] [spark] wangyum commented on a change in pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
wangyum commented on a change in pull request #34362:
URL: https://github.com/apache/spark/pull/34362#discussion_r734238451



##########
File path: pom.xml
##########
@@ -2442,6 +2442,10 @@
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>
           </exclusion>
+          <exclusion>
+            <groupId>javax.annotation</groupId>
+            <artifactId>javax.annotation-api</artifactId>
+          </exclusion>
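
Review bot: the added `javax.annotation-api` exclusion at the end of this hunk carries no comment saying why the artifact is dropped, so a later reader cannot tell a deliberate removal from an accident. Suggest an XML comment above the `<exclusion>` stating that the jar arrives only transitively and is not needed at runtime, and keeping the `dev/deps` manifests in step with it.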

Review comment:
       It seems we do not need it:
   ```
   LM-SHC-16508156:thrift yumwang$ grep -ER "javax.annotation" .
   ./lib/java/gradle/environment.gradle:ext.javaxAnnotationVersion = property('javax.annotation.version')
   ./lib/java/gradle/environment.gradle:    compile "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}"
   Binary file ./lib/java/.gradle/5.6.4/executionHistory/executionHistory.bin matches
   Binary file ./lib/java/.gradle/5.6.4/javaCompile/classAnalysis.bin matches
   Binary file ./lib/java/.gradle/5.6.4/javaCompile/taskHistory.bin matches
   ./lib/java/gradle.properties:javax.annotation.version=1.3.2
   ./lib/java/build/poms/pom-default.xml:      <groupId>javax.annotation</groupId>
   ./lib/java/build/poms/pom-default.xml:      <artifactId>javax.annotation-api</artifactId>
   Binary file ./lib/java/build/deps/javax.annotation-api-1.3.2.jar matches
   ./lib/java/build/tmp/javadoc/javadoc.options:-classpath '/Users/yumwang/opensource/thrift/lib/java/build/classes/java/main:/Users/yumwang/opensource/thrift/lib/java/build/resources/main:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.slf4j/slf4j-api/1.7.28/2cd9b264f76e3d087ee21bfc99305928e1bdb443/slf4j-api-1.7.28.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.10/7ca2e4276f4ef95e4db725a8cd4a1d1e7585b9e5/httpclient-4.5.10.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpcore/4.4.12/21ebaf6d532bc350ba95bd81938fa5f0e511c132/httpcore-4.4.12.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/javax.servlet/javax.servlet-api/4.0.1/a27082684a2ff0bf397666c3943496c44541d1ca/javax.servlet-api-4.0.1.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/javax.annotation/javax.annotation-api/1.3.2/934c04d3cfef185a8008e7bf34331b79730a9d43/javax.annotation-api-1.3.2.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/commons-logging/commons-logging/1.2/4bfc12adfe4842bf07b657f0369c4cb522955686/commons-logging-1.2.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar'
   ./compiler/cpp/src/thrift/generate/t_java_generator.cc:  indent(out) << "@javax.annotation.Generated(value = \"" << autogen_summary() << "\"";
   
   ```






[GitHub] [spark] SparkQA commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
SparkQA commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949305726


   **[Test build #144529 has started](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/144529/testReport)** for PR 34362 at commit [`affe2f6`](https://github.com/apache/spark/commit/affe2f64457c67c133e45cfd6de372649d10e2cb).




[GitHub] [spark] wangyum commented on a change in pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
wangyum commented on a change in pull request #34362:
URL: https://github.com/apache/spark/pull/34362#discussion_r734240298



##########
File path: sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/TSetIpAddressProcessor.java
##########
@@ -45,11 +45,12 @@ public TSetIpAddressProcessor(Iface iface) {
   }
 
   @Override
-  public boolean process(final TProtocol in, final TProtocol out) throws TException {
+  public void process(final TProtocol in, final TProtocol out) throws TException {
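
Review bot: changing the return type of the overridden `process` from `boolean` to `void` ties this class to a libthrift whose `process` is declared `void`, and the hunk shows only the signature line. Check that every `return` inside the method body and any caller that tested the old boolean result were updated in the same change, and consider a code comment naming the upstream change it mirrors.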

Review comment:
       This change is copied from Hive:
   https://github.com/apache/hive/commit/1945e2f67e5b09cdda40146b87e1ba492f897196#diff-8f288ca198b08c9f716e68a6743ae8937b4740b69f9019c10925fb8d8083a0b0






[GitHub] [spark] SparkQA commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
SparkQA commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949192271


   **[Test build #144522 has started](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/144522/testReport)** for PR 34362 at commit [`8d9e375`](https://github.com/apache/spark/commit/8d9e3757055426241c9c17b2199608092d9e42f7).




[GitHub] [spark] yaooqinn commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
yaooqinn commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949453095


   Interesting, `Thrift 0.13.0 does not work with JDK8` per https://issues.apache.org/jira/browse/THRIFT-5274




[GitHub] [spark] wangyum commented on a change in pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
wangyum commented on a change in pull request #34362:
URL: https://github.com/apache/spark/pull/34362#discussion_r734242476



##########
File path: dev/deps/spark-deps-hadoop-3.2-hive-2.3
##########
@@ -120,6 +120,7 @@ jakarta.ws.rs-api/2.1.6//jakarta.ws.rs-api-2.1.6.jar
 jakarta.xml.bind-api/2.3.2//jakarta.xml.bind-api-2.3.2.jar
 janino/3.0.16//janino-3.0.16.jar
 javassist/3.25.0-GA//javassist-3.25.0-GA.jar
+javax.annotation-api/1.3.2//javax.annotation-api-1.3.2.jar
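
Review bot: the added `javax.annotation-api/1.3.2` line puts a new jar into the shipped dependency set, so it has to agree with the `pom.xml` exclusions: if the artifact is excluded there, this line should be dropped, and if it stays, the license files need an entry for it. Only the `hadoop-3.2-hive-2.3` manifest is visible here, so any manifests for other profiles need the same treatment.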

Review comment:
       I removed javax.annotation-api-1.3.2.jar. It seems we do not need it:
   ```
   LM-SHC-16508156:thrift yumwang$ grep -ER "javax.annotation" .
   ./lib/java/gradle/environment.gradle:ext.javaxAnnotationVersion = property('javax.annotation.version')
   ./lib/java/gradle/environment.gradle:    compile "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}"
   Binary file ./lib/java/.gradle/5.6.4/executionHistory/executionHistory.bin matches
   Binary file ./lib/java/.gradle/5.6.4/javaCompile/classAnalysis.bin matches
   Binary file ./lib/java/.gradle/5.6.4/javaCompile/taskHistory.bin matches
   ./lib/java/gradle.properties:javax.annotation.version=1.3.2
   ./lib/java/build/poms/pom-default.xml:      <groupId>javax.annotation</groupId>
   ./lib/java/build/poms/pom-default.xml:      <artifactId>javax.annotation-api</artifactId>
   Binary file ./lib/java/build/deps/javax.annotation-api-1.3.2.jar matches
   ./lib/java/build/tmp/javadoc/javadoc.options:-classpath '/Users/yumwang/opensource/thrift/lib/java/build/classes/java/main:/Users/yumwang/opensource/thrift/lib/java/build/resources/main:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.slf4j/slf4j-api/1.7.28/2cd9b264f76e3d087ee21bfc99305928e1bdb443/slf4j-api-1.7.28.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.10/7ca2e4276f4ef95e4db725a8cd4a1d1e7585b9e5/httpclient-4.5.10.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpcore/4.4.12/21ebaf6d532bc350ba95bd81938fa5f0e511c132/httpcore-4.4.12.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/javax.servlet/javax.servlet-api/4.0.1/a27082684a2ff0bf397666c3943496c44541d1ca/javax.servlet-api-4.0.1.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/javax.annotation/javax.annotation-api/1.3.2/934c04d3cfef185a8008e7bf34331b79730a9d43/javax.annotation-api-1.3.2.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/commons-logging/commons-logging/1.2/4bfc12adfe4842bf07b657f0369c4cb522955686/commons-logging-1.2.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar'
   ./compiler/cpp/src/thrift/generate/t_java_generator.cc:  indent(out) << "@javax.annotation.Generated(value = \"" << autogen_summary() << "\"";
   ```






[GitHub] [spark] AmplabJenkins removed a comment on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
AmplabJenkins removed a comment on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949350101








[GitHub] [spark] AmplabJenkins commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
AmplabJenkins commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949262279


   
   Refer to this link for build results (access rights to CI server needed): 
   https://amplab.cs.berkeley.edu/jenkins//job/SparkPullRequestBuilder-K8s/48993/
   




[GitHub] [spark] SparkQA commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
SparkQA commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949275575


   **[Test build #144522 has finished](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/144522/testReport)** for PR 34362 at commit [`8d9e375`](https://github.com/apache/spark/commit/8d9e3757055426241c9c17b2199608092d9e42f7).
    * This patch passes all tests.
    * This patch merges cleanly.
    * This patch adds no public classes.




[GitHub] [spark] dongjoon-hyun commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
dongjoon-hyun commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-950593129


   Thank you for pinging me, @HyukjinKwon .
   cc @sunchao 




[GitHub] [spark] dongjoon-hyun commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
dongjoon-hyun commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-960494136


   Let's wait for a while since this is not for Apache Spark 3.2.1.
   To prevent accidental merging, I converted this PR to the draft, @wangyum .




[GitHub] [spark] srowen commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
srowen commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1030856153


   I updated the description manually; I think this is good to go?




[GitHub] [spark] dongjoon-hyun commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
dongjoon-hyun commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1030919169


   > I updated the description manually; I think this is good to go?
   
   We have no evidence that this PS passes the CIs, do we, @srowen? As I mentioned here (https://github.com/apache/spark/pull/34362#pullrequestreview-867034822), the latest CI failed.




[GitHub] [spark] HyukjinKwon commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
HyukjinKwon commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949152726


   cc 
   @srowen and @dongjoon-hyun too FYI




[GitHub] [spark] SparkQA removed a comment on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
SparkQA removed a comment on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949192271


   **[Test build #144522 has started](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/144522/testReport)** for PR 34362 at commit [`8d9e375`](https://github.com/apache/spark/commit/8d9e3757055426241c9c17b2199608092d9e42f7).




[GitHub] [spark] srowen commented on a change in pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
srowen commented on a change in pull request #34362:
URL: https://github.com/apache/spark/pull/34362#discussion_r734231884



##########
File path: dev/deps/spark-deps-hadoop-3.2-hive-2.3
##########
@@ -120,6 +120,7 @@ jakarta.ws.rs-api/2.1.6//jakarta.ws.rs-api-2.1.6.jar
 jakarta.xml.bind-api/2.3.2//jakarta.xml.bind-api-2.3.2.jar
 janino/3.0.16//janino-3.0.16.jar
 javassist/3.25.0-GA//javassist-3.25.0-GA.jar
+javax.annotation-api/1.3.2//javax.annotation-api-1.3.2.jar

Review comment:
       Minor but legitimate thing we should do: update LICENSE-binary to add a line about the licensing of this, which is dual licensed as CDDL 1.1 and GPL + classpath. Just add one line around...
   
   ```
   Common Development and Distribution License (CDDL) 1.1
   ------------------------------------------------------
   
   javax.el:javax.el-api	https://javaee.github.io/uel-ri/
   javax.servlet.jsp:jsp-api
   ```
   
   I suppose we need a copy of the license text in licenses-binary too, ideally
   https://github.com/javaee/javax.annotation/blob/master/LICENSE






[GitHub] [spark] SparkQA commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
SparkQA commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949402270


   **[Test build #144529 has finished](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/144529/testReport)** for PR 34362 at commit [`affe2f6`](https://github.com/apache/spark/commit/affe2f64457c67c133e45cfd6de372649d10e2cb).
    * This patch passes all tests.
    * This patch merges cleanly.
    * This patch adds no public classes.




[GitHub] [spark] srowen commented on a change in pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
srowen commented on a change in pull request #34362:
URL: https://github.com/apache/spark/pull/34362#discussion_r734553574



##########
File path: dev/deps/spark-deps-hadoop-3.2-hive-2.3
##########
@@ -120,6 +120,7 @@ jakarta.ws.rs-api/2.1.6//jakarta.ws.rs-api-2.1.6.jar
 jakarta.xml.bind-api/2.3.2//jakarta.xml.bind-api-2.3.2.jar
 janino/3.0.16//janino-3.0.16.jar
 javassist/3.25.0-GA//javassist-3.25.0-GA.jar
+javax.annotation-api/1.3.2//javax.annotation-api-1.3.2.jar

Review comment:
       OK, I'm sure we don't use it directly, but that doesn't mean thrift doesn't need it.
   That said, it's just a set of annotations, which are usually optional.
   We exclude this elsewhere, so I think this is OK.






[GitHub] [spark] SparkQA commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
SparkQA commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949325426


   Kubernetes integration test starting
   URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/49000/
   




[GitHub] [spark] SparkQA commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities

Posted by GitBox <gi...@apache.org>.
SparkQA commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949350072


   Kubernetes integration test status failure
   URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/49000/
   

